On January 21, a security advisory drew widespread attention across the industry. Security researchers disclosed a new form of supply chain attack against the Snap Store, the application store for Linux systems that install software as snap packages. The adversaries took over expired domains that had belonged to legitimate developers, used them to seize the original developer accounts, and pushed tampered applications to users through the store's official update channel, ultimately to steal crypto assets.
Attack Methodology and Technical Path
According to the disclosed information, the attackers did not bother with newly registered developer accounts. They targeted publishers that had built long-standing credibility on the Snap Store but whose contact domains had been allowed to expire. Once a lapsed domain was identified, the attackers re-registered it, set up a mailbox for the publisher's registered e-mail address, and triggered the Snap Store password-reset flow. Because the store treats control of the registered e-mail address as proof of identity, the reset mail landed in the attacker's mailbox and the original publisher identity was hijacked without any further bypass.
As a result, software that users had installed years earlier and continued to trust could, after a seemingly "legitimate update," carry injected malicious code. The whole process ran inside the official distribution channel, which is what made the attack so hard to detect.
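The root cause described above is a publisher's recovery e-mail living on a domain that nobody renews. The following audit script is an added example, not code from the original article or from the Snap Store: it takes a list of publisher accounts and the domain behind each contact address, reads an RDAP-style record per domain, and flags the ones that are already expired, sitting in a registrar grace state, unregistered, or close to expiry, since any of those can be re-registered by an attacker and used to receive a password-reset mail. The publisher list, the RDAP records and the audit date are constructed sample data; a real run would fetch the records from the registry's RDAP endpoint instead of a dictionary.

```python
"""Audit the domains behind publisher account-recovery e-mail addresses.

Added example (not from the article or the Snap Store). Domains that are
expired, unregistered, in a registrar grace state, or about to lapse can be
re-registered by anyone, who then receives the store's password-reset mail.
"""
from datetime import datetime, timezone

# Fixed audit date so the example is deterministic (constructed, not the incident date).
AUDIT_DATE = datetime(2025, 1, 21, tzinfo=timezone.utc)

# Registrar lifecycle states that mean the name is on its way back to the open market.
GRACE_STATUSES = {"pending delete", "redemption period", "auto renew period"}

# Constructed publisher list: a store account and the e-mail it uses for password resets.
SAMPLE_PUBLISHERS = [
    {"publisher": "longtime-publisher", "contact": "dev@old-publisher-site.example"},
    {"publisher": "active-publisher", "contact": "team@active-publisher.example"},
    {"publisher": "soon-publisher", "contact": "Admin@Soon-Lapse.example"},
    {"publisher": "orphan-publisher", "contact": "me@never-registered.example"},
]

# Constructed RDAP-style lookups keyed by domain. A missing key stands for an RDAP 404:
# the registry has no such object, so the name can be registered by anyone right now.
SAMPLE_RDAP = {
    "old-publisher-site.example": {
        "status": ["pending delete"],
        "events": [
            {"eventAction": "registration", "eventDate": "2014-11-30T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2024-11-30T00:00:00Z"},
        ],
    },
    "active-publisher.example": {
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2027-05-01T00:00:00Z"}],
    },
    "soon-lapse.example": {
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2025-02-02T00:00:00Z"}],
    },
}


def extract_domain(email):
    """Return the lowercased domain of an e-mail address, or None if it has no local@domain shape."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def expiry_from_rdap(record):
    """Pull the 'expiration' event out of an RDAP domain object as an aware UTC datetime."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.strptime(event["eventDate"], "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc
            )
    return None


def assess_domain(domain, record, today=AUDIT_DATE, warn_days=30):
    """Classify one domain's takeover risk from its RDAP record (None means not registered)."""
    if record is None:
        return {"domain": domain, "risk": "UNREGISTERED", "days_left": None}
    expiry = expiry_from_rdap(record)
    days_left = (expiry.date() - today.date()).days if expiry else None
    statuses = {s.lower() for s in record.get("status", [])}
    if (days_left is not None and days_left < 0) or statuses & GRACE_STATUSES:
        risk = "EXPIRED"
    elif days_left is None:
        risk = "UNKNOWN"
    elif days_left <= warn_days:
        risk = "EXPIRING"
    else:
        risk = "OK"
    return {"domain": domain, "risk": risk, "days_left": days_left}


# Lower number sorts first; malformed contacts fall back to 0 so they are never buried.
SEVERITY = {"UNREGISTERED": 0, "EXPIRED": 0, "EXPIRING": 1, "UNKNOWN": 2, "OK": 3}


def audit_publishers(publishers, rdap, today=AUDIT_DATE, warn_days=30):
    """Assess every publisher contact and return the findings, worst first."""
    findings = []
    for entry in publishers:
        domain = extract_domain(entry["contact"])
        if domain is None:
            findings.append({"publisher": entry["publisher"], "domain": None,
                             "risk": "MALFORMED_CONTACT", "days_left": None})
            continue
        finding = assess_domain(domain, rdap.get(domain), today, warn_days)
        finding["publisher"] = entry["publisher"]
        findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY.get(f["risk"], 0))


if __name__ == "__main__":
    for f in audit_publishers(SAMPLE_PUBLISHERS, SAMPLE_RDAP):
        print(f"{f['risk']:<12} {f['publisher']:<20} {f['domain']}  days_left={f['days_left']}")
```

Anything reported as EXPIRED or UNREGISTERED should be treated as an account already exposed, not merely at risk: the fix is to move the account's recovery address to a domain with auto-renew and registrar lock, and to re-verify that nobody else has reset the password in the meantime.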
Impersonated Applications and Victim Impact Pathways
Confirmed cases show that some of the hijacked publisher accounts shipped applications disguised as well-known cryptocurrency wallet clients. The apps closely matched the legitimate versions in interface design and user flow. On launch, the application first contacted a remote server to check its network environment, then prompted the user to enter their "wallet recovery mnemonic phrase."
Once submitted, that phrase was sent straight to attacker-controlled servers, and because a recovery phrase gives full control of the wallet, the attackers could drain its assets within minutes. By trading on users' trust in the official app store and in familiar software, such attacks typically cause real losses before the victim notices anything unusual.
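The exfiltration step above leaves a network trace: a wallet-branded process posting a seed phrase to a server that the real wallet never talks to. The script below is an added detection example, not code from the article or from any wallet or store vendor. It scans egress-proxy records for request bodies containing a run of 12 to 24 short lowercase words (the shape of a BIP-39 recovery phrase, whose words are 3 to 8 letters long and whose valid lengths are 12, 15, 18, 21 or 24) and for a wallet application posting to a host outside its expected endpoints. The log records, the application-to-host allowlist and the log field names are all assumptions constructed for the example; the twelve words in the flagged record are simply the first twelve entries of the BIP-39 English wordlist.

```python
"""Flag outbound requests that look like a seed-phrase exfiltration.

Added example, not the article's or any vendor's code. Heuristic only: it
spots phrase-shaped word runs and wallet apps talking to unexpected hosts.
"""
import re
from urllib.parse import unquote_plus

# BIP-39 phrases are 12, 15, 18, 21 or 24 words; every wordlist entry is 3 to 8 lowercase letters.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
WORD_RUN = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

# Assumed allowlist: which hosts each wallet-type application is expected to POST to.
EXPECTED_HOSTS = {"wallet-client": {"api.wallet.example"}}

# Constructed egress-proxy records (not real traffic). The second record's body holds
# the first twelve entries of the BIP-39 English wordlist as a stand-in seed phrase.
SAMPLE_LOGS = [
    {"app": "wallet-client", "method": "POST", "host": "api.wallet.example",
     "body": '{"check":"network"}'},
    {"app": "wallet-client", "method": "POST", "host": "203.0.113.10",
     "body": "phrase=abandon+ability+able+about+above+absent+absorb+abstract"
             "+absurd+abuse+access+accident"},
    {"app": "browser", "method": "GET", "host": "news.example", "body": ""},
    {"app": "notes", "method": "POST", "host": "sync.notes.example",
     "body": "text=meeting+notes+for+tuesday%2C+bring+the+slides"},
]


def mnemonic_word_count(body):
    """Return the length of the longest phrase-shaped word run in a request body, else 0."""
    text = unquote_plus(body)  # form encoding turns spaces into '+', undo that first
    best = 0
    for match in WORD_RUN.finditer(text):
        best = max(best, len(match.group(0).split()))
    return best


def scan(logs, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per suspicious record, listing every reason it was flagged."""
    findings = []
    for index, rec in enumerate(logs):
        reasons = []
        words = mnemonic_word_count(rec.get("body", ""))
        if words >= 12:
            # An exact BIP-39 length is a stronger signal than an arbitrary long word run.
            level = "high" if words in BIP39_LENGTHS else "medium"
            reasons.append(f"mnemonic_like_body:{words}:{level}")
        allowed = expected_hosts.get(rec.get("app"))
        if allowed is not None and rec.get("method") == "POST" and rec.get("host") not in allowed:
            reasons.append("unexpected_host")
        if reasons:
            findings.append({"index": index, "app": rec.get("app"), "host": rec.get("host"),
                             "mnemonic_words": words, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

A word-run regex will occasionally match ordinary prose of the right length, which is why the two signals are reported together: a wallet process posting a phrase-shaped body to an IP address it has never contacted before is worth an alert, while either signal alone is better treated as a lower-priority lead.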
Practical Implications of Supply Chain Risk
Unlike traditional phishing, this kind of incident relies on neither a fake website nor a malicious download link. It happens inside an application distribution system that users reasonably regard as "secure." User vigilance alone therefore offers little protection, and client-side signature checks do not help either: the malicious revision is uploaded through the legitimate publisher account, so the store signs and serves it exactly like any other update. That is what puts the software supply chain at the centre of crypto asset security.
For institutions and professional users, post-incident analysis of anomalous transactions, suspicious addresses and fund flows is the main way to establish the scope of a loss. In practice, some teams feed the relevant transactions into an on-chain monitoring system such as Trustformer KYT for structured analysis of the transaction behaviour, which then supports the risk post-mortem and any compliance assessment.
Conclusion
The Snap Store incident is a reminder that, as attack techniques evolve, crypto asset risk is moving beyond isolated on-chain vulnerabilities into the software supply chain that delivers the wallet itself. In environments that depend on automatic updates and third-party ecosystems, continuous monitoring of transaction behaviour and fund flows is becoming a baseline control for managing that uncertainty across the industry.